Category: WordPress

WordPress sites get hacked for lots of reasons. Thankfully, most of these are entirely preventable with a few simple habits.

Way #1: Keep all your software up to date.

The majority of attacks are based on vulnerabilities that have already been discovered, published, and patched. You need to make sure you’re applying updates to WordPress core, your plugins, your themes, and the server you’re running WordPress on. If you’re already on Burlington Bytes’ WordPress Hosting, rest easy – your updates are being applied and tested for you. If you’re self-hosting, it’s important to remember to check for updates often. Better yet, you can use a plugin like WordFence to email you when there are new versions to install. It’s possible to set up your site to update automatically, but we discourage this if you are running a business site. Updates applied automatically can break functionality on your site, and you might not discover it until a customer tells you. We stress applying updates in a separate environment and checking that everything looks and functions properly before applying them on your live site. If you don’t install these patches, you’re a sitting duck – the exact details of the vulnerability are quite public by the time patches are available.

One of the most widespread WordPress exploits was from a small script called TimThumb. This script let you dynamically resize images before sending them to the visitor’s browser. This functionality has been in WordPress core for quite a few years now, but that wasn’t always the case. TimThumb was a great solution to a common problem until 2011, when someone discovered a way to abuse the script to download a backdoor onto the site. There are still sites that run TimThumb. A large number are patched, but a surprising number still contain this incredibly powerful exploit that’s been public for 5 years.

Way #2: Use Strong Authentication

Another incredibly common way sites are compromised is weak passwords. It doesn’t matter how good the rest of your security is if your password is “123456”, “password”, or “letmein”. If I just said your password, please – change it now. Those are literally the first three passwords many attackers will try – they’re some of the most common. A strong password consists of a mixture of lowercase and uppercase letters, numbers, and special characters. All users on the Burlington Bytes’ hosting platform are already required to have strong passwords. You should always avoid using your username, the site name, or any publicly available information about you or your company in your password. For extra security, you can use a plugin like Duo or WordFence Premium to enable multifactor authentication. MFA (often called 2FA, for two-factor authentication) requires you to enter a code from another device when logging in. This dramatically increases security in conjunction with strong passwords, because an attacker would need both your password and some way to generate your multifactor code, which requires a secret key stored on your device.
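The rules above (mixed case, numbers, special characters, nothing taken from your username or site name, none of the most common passwords) can be enforced by WordPress itself rather than left to each user. The following must-use plugin is an added example written for this post, not Burlington Bytes’ code and not part of WordPress or WordFence; the minimum length of 12, the tiny deny list and the `bb_example_` function names are this example’s own choices. It hooks the two places where WordPress hands a hook the plain-text password a user is trying to set: the profile / “Add New User” screens (`user_profile_update_errors`) and the password-reset form (`validate_password_reset`).

```php
<?php
/**
 * Plugin Name: Password Policy (example)
 *
 * Added example, not Burlington Bytes' code. Save as
 * wp-content/mu-plugins/bb-example-password-policy.php and WordPress
 * loads it automatically. The minimum length and the deny list below
 * are this example's choices, not WordPress settings.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // only run inside WordPress
}

const BB_EXAMPLE_MIN_LENGTH = 12;

/** Constructed, deliberately short deny list; a real deployment should use a much larger one. */
function bb_example_common_passwords() {
    return array( '123456', 'password', 'letmein', 'qwerty', 'welcome', 'admin' );
}

/**
 * Returns the reasons a password is unacceptable (an empty array means it passes).
 * $context maps a label to a string the password must not contain, e.g.
 * 'username' => 'jsmith'. Values shorter than 4 characters are ignored.
 */
function bb_example_password_problems( $password, array $context = array() ) {
    $problems = array();

    if ( strlen( $password ) < BB_EXAMPLE_MIN_LENGTH ) {
        $problems[] = sprintf( 'must be at least %d characters long', BB_EXAMPLE_MIN_LENGTH );
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'must contain both lowercase and uppercase letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'must contain a number';
    }
    if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
        $problems[] = 'must contain a special character';
    }
    if ( in_array( strtolower( $password ), bb_example_common_passwords(), true ) ) {
        $problems[] = 'is one of the most commonly guessed passwords';
    }
    foreach ( $context as $label => $value ) {
        $value = trim( (string) $value );
        if ( strlen( $value ) >= 4 && stripos( $password, $value ) !== false ) {
            $problems[] = 'must not contain your ' . $label;
        }
    }
    return $problems;
}

/** Strings a given user's password must not be built from. */
function bb_example_password_context( $login, $email ) {
    return array(
        'username'  => $login,
        'site name' => get_bloginfo( 'name' ),
        'e-mail'    => strstr( (string) $email, '@', true ), // local part only
    );
}

/** Adds one WP_Error entry per problem so the user sees every rule they broke. */
function bb_example_report_problems( WP_Error $errors, $password, $login, $email ) {
    $context = bb_example_password_context( $login, $email );
    foreach ( bb_example_password_problems( $password, $context ) as $problem ) {
        $errors->add( 'bb_weak_password', '<strong>Error</strong>: The password ' . $problem . '.' );
    }
}

// Profile edit and "Add New User" screens. $user is a stdClass built from the form;
// user_pass is only set when a new password was actually entered.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    bb_example_report_problems( $errors, $user->user_pass, $user->user_login, $user->user_email );
}, 10, 3 );

// Password reset form (wp-login.php?action=rp). The new password arrives as $_POST['pass1'];
// the hook also fires when the empty form is first displayed, hence the guard.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) || ! ( $user instanceof WP_User ) ) {
        return;
    }
    bb_example_report_problems( $errors, wp_unslash( $_POST['pass1'] ), $user->user_login, $user->user_email );
}, 10, 2 );
```

Because these hooks only see passwords being set, existing weak passwords are untouched: after installing something like this, have every user reset their password once. The policy complements multifactor authentication rather than replacing it.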

Way #3: Regularly Audit Who Has Access

Many data breaches today occur through the credentials of someone who already had access. Sometimes the bearer of those credentials is complicit, but often their credentials have been stolen by someone else. This complicates investigating a hack because it may appear that a trusted employee authenticated to your site and did damage when they may have had no knowledge of the attack at all. To protect against this, only grant site access to people you know and trust, and give users the least privileges needed. For example, if you’d like to have your entire company create content for your website, and that’s all they should be doing, there’s no reason to give them Administrator accounts. WordPress comes with a variety of default user roles – for example, the Editor role would be a much better fit for such a situation. By enforcing a policy of “least privilege,” the potential for damage from rogue users and stolen credentials can be minimized.
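Way #1 asks you to notice pending updates promptly and Way #3 asks you to review who holds access regularly; both are easy to forget unless something reminds you. The must-use plugin below is an added example written for this post, not Burlington Bytes’ code and not a feature of WordPress or WordFence: once a day it emails the site’s admin address the updates WordPress knows are pending and every account that currently has the Administrator role. The hook name and the `bb_example_` function names are this example’s own. It reads the same update transients that the wp-admin “Updates” badge uses, refreshing them first so the report is current even if nobody has visited the dashboard.

```php
<?php
/**
 * Plugin Name: Update and Access Digest (example)
 *
 * Added example, not Burlington Bytes' code. Save as
 * wp-content/mu-plugins/bb-example-digest.php. Sends a daily e-mail listing
 * pending core/plugin/theme updates and all Administrator accounts.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // only run inside WordPress
}

const BB_EXAMPLE_DIGEST_HOOK = 'bb_example_daily_digest'; // this example's cron hook name

// Schedule the daily job once; wp_next_scheduled() keeps it from being duplicated.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( BB_EXAMPLE_DIGEST_HOOK ) ) {
        wp_schedule_event( time(), 'daily', BB_EXAMPLE_DIGEST_HOOK );
    }
} );
add_action( BB_EXAMPLE_DIGEST_HOOK, 'bb_example_send_digest' );

/**
 * Pending updates, read from the transients WordPress maintains itself.
 * The three refresh calls are the same ones WordPress runs on its own schedule.
 */
function bb_example_pending_updates() {
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    $lines = array();

    $core = get_site_transient( 'update_core' );
    if ( ! empty( $core->updates ) ) {
        foreach ( $core->updates as $offer ) {
            if ( 'upgrade' === $offer->response ) {
                $lines[] = 'WordPress core -> ' . $offer->current;
                break;
            }
        }
    }

    $plugins = get_site_transient( 'update_plugins' );
    if ( ! empty( $plugins->response ) ) {
        foreach ( $plugins->response as $file => $info ) {   // keyed by plugin file, object values
            $lines[] = 'Plugin ' . $file . ' -> ' . $info->new_version;
        }
    }

    $themes = get_site_transient( 'update_themes' );
    if ( ! empty( $themes->response ) ) {
        foreach ( $themes->response as $slug => $info ) {    // keyed by theme slug, array values
            $lines[] = 'Theme ' . $slug . ' -> ' . $info['new_version'];
        }
    }

    return $lines;
}

/** Every account holding the Administrator role, for the access review. */
function bb_example_admin_accounts() {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'user_login', 'user_email' ),
    ) );
    $lines = array();
    foreach ( $admins as $admin ) {
        $lines[] = $admin->user_login . ' <' . $admin->user_email . '>';
    }
    return $lines;
}

/** Builds and sends the digest; runs from WP-Cron, so no user is logged in. */
function bb_example_send_digest() {
    $updates = bb_example_pending_updates();
    $admins  = bb_example_admin_accounts();

    $body  = "Pending updates:\n";
    $body .= $updates ? '  ' . implode( "\n  ", $updates ) : '  none';
    $body .= "\n\nAccounts with the Administrator role (" . count( $admins ) . "):\n";
    $body .= '  ' . implode( "\n  ", $admins ) . "\n\n";
    $body .= "Remove any administrator you do not recognise, and test updates on a separate copy of the site before applying them live.\n";

    wp_mail(
        get_option( 'admin_email' ),
        '[' . get_bloginfo( 'name' ) . '] Daily update and access digest',
        $body
    );
}
```

WP-Cron only fires when the site receives traffic, so on a quiet site the digest may arrive late; hosts that trigger wp-cron.php from a real system cron avoid that. An Administrator you do not recognise in the list is exactly the stolen-or-leftover credential this section warns about, and the same mechanism can be extended to list Editors or any other role you care about.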

Way #4: Check Your Automated Backups

Okay, you got me – this isn’t actually a way to prevent an attack, but a way to save yourself if you are hacked. If you don’t currently have automated backups on your site, you’re at risk of losing days, weeks, months, or all of the time and money you’ve put into it. Manual backups are not enough – it’s too easy to forget to run a site backup on time, every time. We recommend daily, automated backups during your lowest daily traffic period – typically between 2am and 4am. This works well for most people. However, if you do a lot of content editing or depend on your site’s eCommerce, you may need more frequent backups. If you need to restore from a daily backup, you may lose up to a day’s work, but on average less than that. All customers signed up for Burlington Bytes hosting have automated, daily backups included in their subscription. It’s also important that you periodically test your backups to make sure they are functioning properly.
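A backup job that silently stopped, or that produces archives with an empty database dump, looks fine until the day you need it. The command-line script below is an added example written for this post, not Burlington Bytes’ tooling and not how their hosting backups are stored: it finds the newest `.zip` in a backup directory and checks that it is recent, opens cleanly, contains `wp-config.php`, and holds a `.sql` dump with actual table definitions. The directory layout, the ZIP format, the 36-hour threshold and the `bb_example_` names are assumptions to adapt to whatever your backup plugin or host produces. It is a sanity check to run on a schedule between full test restores, not a replacement for them.

```php
<?php
/**
 * bb-example-check-backup.php -- added example, not Burlington Bytes' tooling.
 * Usage: php bb-example-check-backup.php /path/to/backups
 * Exit code 0 = newest archive passed, 1 = problems found, 2 = no archives.
 *
 * Assumes backups are ZIP files containing the site tree (with wp-config.php)
 * and a .sql database dump; adjust for your backup tool's layout.
 */

const BB_EXAMPLE_MAX_AGE_HOURS = 36; // daily schedule plus some slack
const BB_EXAMPLE_DUMP_HEAD_BYTES = 65536; // enough to reach the first CREATE TABLE

/** Newest *.zip in the directory by modification time, or null if none exist. */
function bb_example_latest_backup( $dir ) {
    $files = glob( rtrim( $dir, '/' ) . '/*.zip' );
    if ( ! $files ) {
        return null;
    }
    usort( $files, function ( $a, $b ) {
        return filemtime( $b ) <=> filemtime( $a );
    } );
    return $files[0];
}

/** Returns a list of problems found in the archive; an empty list means it passed. */
function bb_example_check_backup( $path ) {
    $problems = array();

    $age_hours = ( time() - filemtime( $path ) ) / 3600;
    if ( $age_hours > BB_EXAMPLE_MAX_AGE_HOURS ) {
        $problems[] = sprintf( 'newest backup is %.0f hours old; the schedule may have stopped', $age_hours );
    }

    $zip = new ZipArchive();
    if ( $zip->open( $path ) !== true ) {
        $problems[] = 'archive cannot be opened (corrupt or incomplete)';
        return $problems;
    }

    $has_config = false;
    $sql_entry  = null;
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        if ( basename( $name ) === 'wp-config.php' ) {
            $has_config = true;
        }
        if ( substr( $name, -4 ) === '.sql' ) {
            $sql_entry = $name;
        }
    }

    if ( ! $has_config ) {
        $problems[] = 'wp-config.php is missing (database credentials and salts not backed up)';
    }
    if ( $sql_entry === null ) {
        $problems[] = 'no .sql database dump found';
    } else {
        // Read only the start of the dump: mysqldump emits CREATE TABLE early,
        // and a multi-gigabyte dump should not be pulled into memory whole.
        $stream = $zip->getStream( $sql_entry );
        $head   = $stream ? (string) stream_get_contents( $stream, BB_EXAMPLE_DUMP_HEAD_BYTES ) : '';
        if ( $stream ) {
            fclose( $stream );
        }
        if ( stripos( $head, 'CREATE TABLE' ) === false ) {
            $problems[] = $sql_entry . ' contains no CREATE TABLE statement (empty or failed dump)';
        }
    }

    $zip->close();
    return $problems;
}

if ( PHP_SAPI === 'cli' ) {
    $dir    = $argv[1] ?? '.';
    $latest = bb_example_latest_backup( $dir );
    if ( $latest === null ) {
        fwrite( STDERR, "No backup archives found in $dir\n" );
        exit( 2 );
    }
    $problems = bb_example_check_backup( $latest );
    echo basename( $latest ), ': ', $problems ? "FAILED\n  - " . implode( "\n  - ", $problems ) . "\n" : "OK\n";
    exit( $problems ? 1 : 0 );
}
```

Run it from cron a couple of hours after the backup window and have a non-zero exit code page someone. Even when it reports OK, schedule a real restore into a scratch site now and then: only a restore proves the backup works.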

Way #5: Never Install “Nulled” Plugins or Themes

A “nulled” plugin has been “cracked” – pirated, with the code modified to disable license checks. Although some “nulled” plugins may appear to function just like the paid version of the plugin, many of them have backdoors installed. When it comes to your business site – it just doesn’t pay to take the chance. Legally purchased plugins or themes provide assurance you are installing genuine software. In addition, you are supporting the developers, and that helps to bring you newer, improved versions. Software piracy is a serious matter, and you can be held criminally responsible for copyright infringement.

Stay safe and happy blogging!

This post’s image is a derivative work by Burlington Bytes of the WordPress Dashicons, and as such is licensed as GPLv2.

At Burlington Bytes, we’re primarily a WordPress shop. We do everything from building websites, to hosting and supporting websites, to building custom WordPress themes and plugins. We love WordPress because it’s simple enough for a layperson to build a website, but extensible enough for our designers and developers to build almost anything we can imagine.

When you first download and install WordPress on your server, the first big question is “What do I want this site to look like?” WordPress uses a theming system to handle the visual appearance of a site. Right out of the box WordPress will ship with a few different default themes from previous years, named after their respective year. If you’re not struck by any of the default themes, you can find free WordPress themes in the WordPress Theme Directory, or purchase “Premium” themes on a marketplace like Themeforest. At Burlington Bytes, we’ll sometimes start with a free or purchased theme and customize it for our client using a Child Theme. More and more, we’ve been designing and developing totally custom themes using our own Bootstrap starter theme which lets us build responsive websites very efficiently.

Themes are built following a very specific format, using a combination of PHP, HTML, CSS, and JS. The best way to learn how to build and modify themes is to set up a WordPress install and dig in. If you’re working on a live site, make a “development” copy of it to avoid knocking the site offline if you make an error. Use an FTP program such as FileZilla; we don’t recommend ever using the built-in file editor. Take frequent backups so you can restore, or better yet, use git or another form of version control.
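Customising a downloaded theme through a Child Theme, as described above, is also what keeps Way #1 practical: the parent theme can be updated whenever a fix is released because none of your edits live in its files. The `functions.php` below is an added example for this post, not Burlington Bytes’ Bootstrap starter theme and not part of Twenty Sixteen; the directory name, the style handles and the excerpt length are this example’s own choices. It goes in `wp-content/themes/twentysixteen-child/` next to a `style.css` whose header contains `Theme Name: Twenty Sixteen Child` and `Template: twentysixteen` (the `Template` line is what makes WordPress treat it as a child of Twenty Sixteen).

```php
<?php
/**
 * functions.php for a Twenty Sixteen child theme -- added example, not
 * Burlington Bytes' starter theme. Lives in wp-content/themes/twentysixteen-child/
 * beside a style.css whose header includes:
 *     Theme Name: Twenty Sixteen Child
 *     Template:   twentysixteen
 * All customisations stay in this directory, so updating Twenty Sixteen
 * never overwrites them.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // only run inside WordPress
}

// With a child theme active, get_stylesheet_uri() points at the child's style.css,
// which Twenty Sixteen's own twentysixteen_scripts() already enqueues. The parent's
// stylesheet is NOT loaded automatically, so enqueue it here. Priority 9 runs this
// before the parent's priority-10 callback, keeping the cascade order parent -> child.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_style(
        'twentysixteen-parent-style',                       // handle is this example's choice
        get_template_directory_uri() . '/style.css',        // parent theme directory
        array(),
        wp_get_theme( 'twentysixteen' )->get( 'Version' )   // cache-busting by parent version
    );
}, 9 );

// A typical presentational tweak kept out of the parent: shorter excerpts on archives.
add_filter( 'excerpt_length', function ( $length ) {
    return 30; // words; this value is the example's choice
}, 999 );

// A small hardening tweak that belongs with the customisations: WordPress prints its
// exact version in a <meta name="generator"> tag by default. Removing it means a site
// that is a few days behind on updates does not announce that in its page source.
remove_action( 'wp_head', 'wp_generator' );
```

Pair this with `define( 'DISALLOW_FILE_EDIT', true );` in `wp-config.php`, which removes the built-in theme and plugin file editor the paragraph above advises against; edits then only happen through FTP or version control, where you have a backup and a history.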

Twenty Sixteen is this year’s default theme and is currently running on 600,000 active websites. If you know what to look for, you’re going to see this theme all over the web for the next couple years.

Twenty Sixteen is responsive, with a mobile-first design. Instead of being built for laptops/desktops with functionality to scale it down, this theme is built with mobile devices as the primary intended audience, and will scale up for laptops/desktops. This is becoming a popular method of development as mobile usage continues to grow rapidly.

Twenty Sixteen is built for all audiences. The theme has been deemed “Accessibility ready”, meaning it’s built to be accessible to audiences that may have disabilities. According to the W3C’s Web Accessibility Initiative, there’s a lot that needs to be considered, from how the site zooms, to how well it can be parsed by a screen-reading program, to a host of other auditory, cognitive, neurological and physical considerations. Twenty Sixteen is also RTL- and translation-ready, meaning it supports right-to-left scripts and can be easily translated into a variety of languages for global audiences.

Finally, Twenty Sixteen is just another step in the WordPress community’s continual work towards being a platform that is approachable for all audiences. It has a variety of color schemes built in, and is incredibly easy for anyone to use to get a website up and running with minimal knowledge of code. We’d encourage you to jump in head-first and start building. If you break something, or want to take your website to the next level, don’t hesitate to get in touch with our team of WordPress experts at Burlington Bytes.